
ON DEMAND: https://attendee.gotowebinar.com/recording/6248291894031589902

Zero-Trust Access from Fortinet
Identify, Authenticate, and Monitor the Users and Devices on and off the Network
NSE Insider Webinar
9/24/2020

Peter Newton, Sr. Director of Products and Solutions


Enterprise Access Trends

Single Authentication → Continuous Verification of Identity & Risk
By 2024, 70% of application access will use MFA, up from 10% today [1]

Teleworker
Workforce shifts from 4% teleworking to 30% teleworking by end of 2021 [2]

BYOD, IoT, OT
By 2025, there will be 12B installed IoT devices [3]

Digital Transformation
By 2025, there will be 3.7B installed IoT devices deployed into manufacturing, utilities, and transportation industries. [3]

[1] Gartner Magic Quadrant for Access Management, 12 August 2019
[2] Global Workplace Analytics
[3] Gartner. IoT Forecast
© Fortinet Inc. All Rights Reserved. 2
Numerous Edges Must Be Secured and Protected

[Figure: the edges across which risk must be managed and operations automated. On network: Users, Devices, Identity Edge, Campus Edge, WAN Edge, Branch Edge, Home Edge, Private Cloud, DC, Factory, Home. Off network: Endpoint Edge, Cloud Edge, Public Cloud, Travel.]
Fortinet Cybersecurity Platform
Enterprise Security Fabric

Zero-Trust Access
• Endpoint Access
• NAC
• Identity

Security-driven Networking
• Network Firewall
• SD-WAN
• Secure WLAN/LAN
• SASE/SWG

Dynamic Cloud Security
• Applications
• Platform
• Network

AI-driven Security Operations
• Endpoint Security
• Breach Prevention
• Incident Response

Fabric Management Center


Zero-Trust Access
Knowing and Controlling Everyone and Everything on and off the Network
Ensures consistent security policy across the network, the cloud, and off-network

[Figure: the places zero-trust access covers: Endpoints, Mobile, Multi-Cloud, Campus, Data Center, Home, Factory, Call Center, Operational Technologies, Branch, Edge Compute, Partners, IoT, Customers.]


Zero-Trust Access Main Use Cases
• User Identity and Access Control
• Device Discovery and Dynamic Control
• Teleworker and Off-Network Access


Zero-Trust Access
What does it include?

Controls WHO is on the network: Identity Access Management
• FortiAuthenticator
• FortiToken

Controls WHAT is on the network: Network Access Control
• FortiNAC

Controls devices off the network: Endpoint Access Control
• FortiClient Fabric Agent w/ SASE


Use Case 1
Knowing WHO is on the network

Zero Trust Access—User Identification
Knowing WHO is on the network

IDENTITY IS A CORNERSTONE OF EFFECTIVE SECURITY POLICY
• Who is the user?
  • Employee?
  • Guest?
  • Contractor?
  • Vendor?
  • How do you know?
• What access should they get?
  • User’s Role determines access rights and security services
  • A Least Access Policy allows access only to resources necessary for the role / job


Key Use Cases of IAM

Authentication Services
• Cert-based: VPNs, Wi-Fi, Machine/Device
• Cloud-based: SAMLv2, oAuthv2, OIDC, RestAPI
• Contextual: Location, Network, Time-of-Day
Reduce risk by connecting right users to right resources

Multi-factor Authentication
• Email / SMS
• Hardware, Software Token
• Cloud-based Token
• FIDOv2 (soon)
Defeat stolen/hacked username/password

Certificate Management
• Guest Management
• Device Onboarding
Enable secure communications with customers

Integration with System of Records
• On-Prem Directory Services
• Cloud Directory Services
• Web / Apps Identity Stores
Increase operational efficiency and security effectiveness

Single Sign-On (SSO)
• Web / Cloud Apps
• Network Resources
Reduce user security fatigue
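The Least Access Policy from the previous slide and the contextual and multi-factor points above describe one access decision: the role decides which resources a user is entitled to, and the request context (on or off the network, time of day, strength of the second factor) decides whether that entitlement is honoured. As an added illustration, not Fortinet code or any product's API, the following policy evaluator implements that decision with default deny. The roles, resources, MFA ranking, business-hours window and log format are all constructed for the example.

```python
"""Added example, not Fortinet code: a least-access policy decision that
combines the user's role with request context (on/off network, time of
day) and the strength of the second factor. All roles, resources and
thresholds are constructed for illustration."""
from dataclasses import dataclass

# Constructed role -> resource entitlements. Anything not listed is denied
# (least access: only what the role / job needs).
ROLE_RESOURCES = {
    "employee": frozenset({"email", "intranet", "hr-portal"}),
    "contractor": frozenset({"ticketing", "build-server"}),
    "guest": frozenset({"internet"}),
}

# Constructed contextual rules.
ON_NETWORK_ONLY = frozenset({"build-server"})   # never reachable from off-net
BUSINESS_HOURS_ONLY = frozenset({"hr-portal"})  # time-of-day restriction
ALWAYS_MFA = frozenset({"hr-portal"})           # sensitive: MFA even on-net
BUSINESS_HOURS = range(7, 19)                   # local hours 07:00-18:59

# Constructed ranking of second-factor strength; 2 or more counts as MFA.
MFA_STRENGTH = {"none": 0, "sms": 1, "totp": 2, "push": 2, "fido2": 3, "cert": 3}
MFA_THRESHOLD = 2


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    resource: str
    on_network: bool
    mfa_method: str
    hour: int            # local hour of the request, 0-23


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


def evaluate(req: AccessRequest) -> Decision:
    """Return an allow/deny decision; every deny carries an auditable reason."""
    entitled = ROLE_RESOURCES.get(req.role, frozenset())
    if req.resource not in entitled:
        return Decision(False, f"role '{req.role}' is not entitled to '{req.resource}'")

    has_mfa = MFA_STRENGTH.get(req.mfa_method, 0) >= MFA_THRESHOLD
    # Off-network sessions, and sensitive resources anywhere, must prove a second factor.
    if not req.on_network and not has_mfa:
        return Decision(False, "off-network access requires MFA")
    if req.resource in ALWAYS_MFA and not has_mfa:
        return Decision(False, f"'{req.resource}' requires MFA from any location")

    if req.resource in ON_NETWORK_ONLY and not req.on_network:
        return Decision(False, f"'{req.resource}' is reachable only from the corporate network")

    if req.resource in BUSINESS_HOURS_ONLY and req.hour not in BUSINESS_HOURS:
        return Decision(False, f"'{req.resource}' is restricted to business hours")

    return Decision(True, "entitled by role; context and authentication strength satisfied")


def audit_line(req: AccessRequest, decision: Decision) -> str:
    """One log line per decision for the SIEM (constructed format)."""
    verdict = "ALLOW" if decision.allow else "DENY"
    return (f"{verdict} user={req.user} role={req.role} resource={req.resource} "
            f"on_network={req.on_network} mfa={req.mfa_method} reason=\"{decision.reason}\"")


if __name__ == "__main__":
    # Constructed sample requests.
    sample = [
        AccessRequest("alice", "employee", "email", True, "none", 10),
        AccessRequest("alice", "employee", "email", False, "sms", 10),
        AccessRequest("bob", "contractor", "build-server", False, "fido2", 10),
        AccessRequest("eve", "guest", "intranet", True, "fido2", 10),
    ]
    for r in sample:
        print(audit_line(r, evaluate(r)))
```

The order of checks matters: entitlement is tested first so that a strong second factor never widens what a role may reach, and every deny names the failed rule so the decision can be reviewed from the log alone.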


Zero Trust Access—User Identification
Knowing WHO is on the network

[Figure: FortiAuthenticator at the center, connected to SAML 2.0 SaaS applications, a Certificate Server, FortiToken Two-Factor, Fortinet Single Sign On (FSSO), a Guest Portal, a REST API, and Internet / generic RSSO sources (RADIUS Accounting, Syslog).]

Authentication
Establish identity through user log-in, certificate, and / or multifactor input

Role-based Access
Provide information from authentication source for use in privileged access

Single Sign On
Reduce end user fatigue while maintaining security


Zero Trust Access—User Identification
Knowing WHO is on the network

Customer Overview
Large Government / State Healthcare System

Project Details
• Government agency needed to improve their medical services
• Remote medical appointments
• Securely managing electronic medical records
• Access control to their patients and employees

Key Requirements
• Ensure the security of medical data
• Provide secure controlled access
• Provide Secure WAN access
• Offer central management and reporting
• Offer secure authentication
• Meet HIPAA Requirements

What They Deployed
• (1) FortiManager-3000F
• (1) FortiAuthenticator 3000E
• (1) FortiAnalyzer 3500F
• (1) FortiAnalyzer 2000E
• (2) FortiGate 1500D Ent Bundle
• (15) FortiGate 200E Ent bundle
• (5) FortiGate 80E Ent bundle
• (15) FortiGate 50E Ent bundle
• (347) FortiAP-320C-N


Fortinet Identity Management Vision
Ubiquitous Identity Store for On-Prem, Virtual, and Cloud

Flexible Form-factor and Billing
Hybrid Form-Factor Deployment
• Appliance
• Cloud
• Metered
• IDaaS

Simplified Deployment
• Policy for user, device, and application
• Integration across multiple identity sources
• Multi-tenancy for large enterprise

Enhanced MFA Capabilities
Seamless User Experience
• SSO via multiple authentication methods
• FIDO support
• Continuous contextual authentication

Identity: Effortlessly and Confidently Know WHO Is on the Network
Use Case 2
Knowing WHAT is on the network

Key Use Cases of Network Access Control

Device Discovery and Control
Knowing and controlling everything that is on the network
IoT visibility and protection

User Access Control
Policy-based user access controls that include who, where, when, and how metrics
Protection from standard attacks

Device Risk Assessment
Ensure managed devices onboard with approved firmware profiles, including remote VPN access
Consistent device posture

BYOD and Guest Access
Onboarding guests and personal devices in a consistent, automated, and secure manner
Offload IT tasks and increase security


Zero Trust Access—Device Proliferation
Knowing WHAT is on the network

[Figure: FortiNAC at Corporate Headquarters with further FortiNAC instances at Remote Locations. Data Collection via SNMP, CLI, RADIUS, Syslog, API, and DHCP from Switches, Routers, Access Points, Firewalls, SIEM, IDS/IPS, and Security Devices.]

Visibility
Device identification, profiling, and vulnerability scanning

Dynamic Control
Dynamic micro-segmentation
Supports intent-based segmentation

Continuous Response
Automated response and network orchestration
Extends Security Fabric


Visibility
Endpoint identification

Device Classification
• Automatic or Manual
  > Sponsor Notification
• Device Type
• Confirm on Connect
• Disable if Confirmation Fails

20 Profiling Methods
• More Methods = Higher Trust


Continuous Device Profiling
1. Printer connected to network
2. MAC notification trap triggers FortiNAC
3. FortiNAC profiles device as printer
4. FortiNAC informs Fabric to allow printer-type access to network

Containment of Lateral Threats at Edge
1. User brings infected laptop to work
2. FGT sends event to FortiNAC
3. FortiNAC quarantines the laptop at access layer at switch node
4. Virus contained
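The two sequences above, together with the classification rules on the previous slide (confirm on connect, disable if confirmation fails, more profiling methods means higher trust), describe an event-driven controller. As an added example that is not FortiNAC code and makes no claim about its internals, the following simulation takes a MAC-notification event, profiles the device from several independent methods (OUI lookup, DHCP vendor class, open-port signature), moves it from a registration VLAN to its role VLAN only when enough methods agree, disables it when the methods contradict each other, and quarantines the switch port when a firewall threat event arrives. Every OUI, DHCP class, port signature, VLAN number and event is constructed for the example.

```python
"""Added example, not FortiNAC code: an event-driven NAC controller that
profiles a newly seen device from several independent methods, admits it
only when enough methods agree, and quarantines it at the access-layer
switch port when the firewall reports an infection. Every OUI, DHCP class,
port signature and event below is constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed profiling evidence tables (real deployments carry thousands of entries).
OUI_VENDOR = {"00:11:22": "printer-co", "aa:bb:cc": "laptop-co"}
VENDOR_TYPE = {"printer-co": "printer", "laptop-co": "laptop"}
DHCP_CLASS_TYPE = {"printer-fw/2.1": "printer", "MSFT 5.0": "laptop"}
PORT_SIGNATURE_TYPE = {frozenset({9100, 631}): "printer", frozenset({135, 445}): "laptop"}

# Network role per device type; unprofiled devices land in a registration VLAN.
TYPE_VLAN = {"printer": 20, "laptop": 10}
REGISTRATION_VLAN = 999
QUARANTINE_VLAN = 666
MIN_AGREEING_METHODS = 2   # "more methods = higher trust"


@dataclass
class Endpoint:
    mac: str
    switch: str
    port: str
    device_type: Optional[str] = None
    methods_agreeing: int = 0
    vlan: int = REGISTRATION_VLAN
    state: str = "registering"   # registering | allowed | disabled | quarantined


@dataclass
class NacController:
    endpoints: Dict[str, Endpoint] = field(default_factory=dict)
    actions: List[str] = field(default_factory=list)   # orchestration log

    def _assign_vlan(self, ep: Endpoint, vlan: int) -> None:
        # A real controller would push a port VLAN change or a RADIUS CoA here.
        ep.vlan = vlan
        self.actions.append(f"{ep.switch}/{ep.port}: {ep.mac} -> vlan {vlan}")

    def on_mac_notification(self, mac: str, switch: str, port: str) -> Endpoint:
        """Switch MAC-notification trap: a new MAC appeared on an access port."""
        ep = Endpoint(mac=mac.lower(), switch=switch, port=port)
        self.endpoints[ep.mac] = ep
        self._assign_vlan(ep, REGISTRATION_VLAN)   # untrusted until profiled
        return ep

    def profile(self, mac: str, dhcp_class: Optional[str] = None,
                open_ports: Optional[Set[int]] = None) -> Endpoint:
        """Combine independent profiling methods; admit only when they agree."""
        ep = self.endpoints[mac.lower()]
        votes: List[str] = []
        vendor = OUI_VENDOR.get(ep.mac[:8])
        if vendor in VENDOR_TYPE:
            votes.append(VENDOR_TYPE[vendor])
        if dhcp_class in DHCP_CLASS_TYPE:
            votes.append(DHCP_CLASS_TYPE[dhcp_class])
        for signature, dtype in PORT_SIGNATURE_TYPE.items():
            if open_ports and signature <= open_ports:
                votes.append(dtype)
        if not votes:
            return ep   # nothing learned yet; stays in the registration VLAN
        top = max(set(votes), key=votes.count)
        ep.device_type, ep.methods_agreeing = top, votes.count(top)
        if len(set(votes)) > 1:
            # Conflicting evidence (e.g. printer OUI with a laptop DHCP class):
            # confirmation on connect failed, so disable the device.
            ep.state = "disabled"
            self._assign_vlan(ep, QUARANTINE_VLAN)
        elif ep.methods_agreeing >= MIN_AGREEING_METHODS:
            ep.state = "allowed"
            self._assign_vlan(ep, TYPE_VLAN[top])
        # else: a single method only; wait for more evidence or sponsor confirmation
        return ep

    def on_firewall_threat_event(self, mac: str, signature: str) -> Endpoint:
        """Firewall (FGT) reports the endpoint as infected: contain it at the switch port."""
        ep = self.endpoints[mac.lower()]
        ep.state = "quarantined"
        self._assign_vlan(ep, QUARANTINE_VLAN)
        self.actions.append(f"quarantined {ep.mac} on {ep.switch}/{ep.port}: {signature}")
        return ep


if __name__ == "__main__":
    nac = NacController()
    nac.on_mac_notification("00:11:22:33:44:55", "sw1", "Gi1/0/7")      # constructed trap
    nac.profile("00:11:22:33:44:55", dhcp_class="printer-fw/2.1", open_ports={9100, 631})
    nac.on_mac_notification("aa:bb:cc:00:00:01", "sw1", "Gi1/0/8")
    nac.profile("aa:bb:cc:00:00:01", dhcp_class="MSFT 5.0")
    nac.on_firewall_threat_event("aa:bb:cc:00:00:01", "constructed-malware-signature")
    print("\n".join(nac.actions))
```

The design point is that a spoofed OUI alone never earns trust: a device whose OUI says printer but whose DHCP class says laptop is disabled rather than admitted to the printer VLAN, and containment acts on the switch port, not on the firewall, so lateral traffic inside the access layer is cut as well.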
Key Platform Differentiators
Broad Device Awareness (and Enforcement)
• Supports more than 2,400 network infrastructure devices
• Bidirectional APIs for integrating FortiNAC with other 3rd party platforms (150+ vendors)
• Device identification in seconds
• Device sponsorship

Wired and Wireless Capability


• Not reliant on 802.1x for discovery or enforcement
• Consistent experience, equally effective on switching and wireless networks

Scalable Architecture
• Architecture does not require viewing network traffic, thus eliminating the need to deploy an
appliance (virtual or physical) on every site in a multi-site installation
• Can be readily deployed by Service Providers and MSSPs due to virtual machine and cloud-based
deployment options



Elements of Network Access Control Solution

Appliances
• 3 Control & Application Appliances
• Manager (concurrent license coordination)

Virtual Machines (most popular)
• Control / Application VM
• Manager VM (concurrent license coordination)

Protection License Levels
• Base: Device Detection & Control
• Plus: Full Detection & Control
• Pro: Detection, Control, & Response


Zero Trust Access—Device Proliferation
Knowing WHAT is on the network

Customer Overview
• Global Insurance Financial Services Company
• HQ in Atlanta
• Exploring SD-WAN for global deployment

Project/Requirements
• Exist in current infrastructure
  • Checkpoint FW
  • Cisco switch & WLAN
• Project to expand NAC to global network
• Forescout pilot at HQ

Forescout Issues
• 10-minute delay to detect devices at HQ
• X-box at remote site never discovered
• $2M project to expand w/Forescout

Solution Deployed
• FortiNAC
• Detected devices in seconds
• Passed POC with flying colors
• $0.5M to deploy


Fortinet Network Access Control Vision
Visibility and enforcement across entire network

Enhanced Visibility: Discovery
• Cloud-based lookup
• Vertical-specific Device ID

Simplified Deployment: Deployment
• Use-case workflows
• Pre-populated Profile database
• Enhanced Fabric Integrations

Scalability for Managed Services: NACaaS
• Database Re-design
• MSSP Manager

Network Access: Know and Control WHAT’s on Your Network
Use Case 3
On-net, off-net protection

Zero-Trust Access—Device Protection
On-net, off-net protection

[Figure: FortiClient Fabric Agent deployed across Branch, HQ/Campus, and Remote Workers.]

Endpoint Visibility
• Endpoint telemetry
• Security posture
• Applications

Hygiene Control
• Vulnerability scanning
• Web filtering
• Patching policy
• Dynamic grouping

Secure Remote Access
• Dynamic access control
• VPN
• Single Sign On (SSO)


Zero-Trust Access—Device Protection
On-net, off-net protection

Car Dealership
• Large automotive group in the Netherlands
• 91 locations
• 2,200 employees
• Annual revenue €1.1 billion
• Auto sales, leasing, financing, and service businesses

Project Details
• Security upgrade (GDPR)
• Connectivity—User laptops, all offices locations with Datacenter and public cloud connectivity
• Secure datacenter
• SDWAN

Key Requirements
• Strong security
• Integrated solution—One vendor to secure datacenter, branch, endpoints
• GDPR compliance to ensure data security and data sovereignty
• Endpoint visibility / compliance control

What They Deployed
• FortiGate 501E, 101E and 61E
• FortiGate VM (for Azure)
• FortiClient w/EMS 2300 licenses
• FortiManager VM
• FortiAnalyzer
• FortiSwitch / FortiAP


Zero-Trust Access Value Prop

CHALLENGES → BENEFITS
• Weak and Stolen Passwords → Increase security with 2-Factor Authentication (2FA)
• Explosion of Edges in the Network → Automate discovery and onboarding of users and devices
• Growing IoT Attack Surface → Micro-segmentation with policy-based, least privilege access
• Visibility and Control of Remote Workers → Off-network telemetry and policy enforcement



